Low disk space warning, configurable in Settings

- The space poller now carries a permanent backend-owned watcher on the boot volume (dedupes with pane watchers, so no extra statfs when a pane already shows it) and a hysteresis detector: fires once when free space crosses below the threshold, re-arms only after recovering 1 point above it.
- New `low-disk-space` event + `set_low_disk_space_config` live-apply command; startup seeds from `settings.json`.
- Two new settings under Behavior > File system watching > Low disk space: mode (In-app | macOS notification | Off, default In-app) and threshold percent (default 5, range 1-50). Not FDA-gated (statfs needs no TCC).
- In-app mode shows a persistent WARN toast (per-volume dedup id) with a "Disable these notifications" action that flips the mode off and deep-links to the Settings sub-group. macOS mode sends a native notification.
- Extracted the macOS notification permission flow from the downloads bridge into shared `lib/notifications/macos-notification-permission.ts`.
- Tests: Rust hysteresis unit tests, FE bridge/mode/toast tests + a11y, section render contract updates.

Author: vdavid

apps/desktop/src-tauri/src/ipc.rs

@@ -248,6 +248,7 @@ pub fn builder() -> Builder<tauri::Wry> {
         crate::space_poller::watch_volume_space,
         crate::space_poller::unwatch_volume_space,
         crate::space_poller::set_disk_space_threshold,
+        crate::space_poller::set_low_disk_space_config,
         #[cfg(target_os = "macos")]
         crate::commands::volumes::list_volumes,
         #[cfg(target_os = "macos")]

apps/desktop/src-tauri/src/ipc_collectors.rs

@@ -121,6 +121,7 @@ pub(crate) fn collect_cross_platform_types(types: &mut Types) -> Vec<Function> {
         crate::space_poller::watch_volume_space,
         crate::space_poller::unwatch_volume_space,
         crate::space_poller::set_disk_space_threshold,
+        crate::space_poller::set_low_disk_space_config,
         crate::commands::crash_reporter::check_pending_crash_report,
         crate::commands::crash_reporter::dismiss_crash_report,
         crate::commands::crash_reporter::send_crash_report,

apps/desktop/src-tauri/src/lib.rs

@@ -569,9 +569,13 @@ pub fn run() {
             file_system::set_filter_safe_save_artifacts(saved_settings.filter_safe_save_artifacts.unwrap_or(true));
             file_system::set_smb_concurrency(saved_settings.smb_concurrency.unwrap_or(10) as usize);
 
-            // Initialize disk space poller (live status bar updates)
+            // Initialize disk space poller (live status bar updates + low-disk-space warning)
             space_poller::init(app.handle());
             space_poller::set_threshold_mb(saved_settings.disk_space_change_threshold_mb.unwrap_or(1));
+            space_poller::configure_low_disk_space(
+                saved_settings.low_disk_space_enabled(),
+                saved_settings.low_disk_space_threshold_percent.unwrap_or(5),
+            );
             space_poller::start();
 
             // Upgrade existing SMB mounts to direct smb2 connections (background, non-blocking).

apps/desktop/src-tauri/src/settings/CLAUDE.md

@@ -30,6 +30,8 @@ Settings {
     direct_smb_connection: Option<bool>,   // from "network.directSmbConnection"
     mtp_enabled: Option<bool>,             // from "fileOperations.mtpEnabled"
     disk_space_change_threshold_mb: Option<u64>, // from "advanced.diskSpaceChangeThreshold"
+    low_disk_space_notifications: Option<String>,    // from "behavior.fileSystemWatching.lowDiskSpaceNotifications"; `low_disk_space_enabled()` maps any mode but "off" (or missing) to enabled
+    low_disk_space_threshold_percent: Option<u64>,   // from "behavior.fileSystemWatching.lowDiskSpaceThresholdPercent" (default 5)
     max_log_storage_mb: Option<u64>,               // from "advanced.maxLogStorageMb"
     error_reports_enabled: Option<bool>,           // from "updates.errorReports" (Flow B opt-in, default off)
     network_enabled: Option<bool>,                 // from "network.enabled" (default on; off renders picker as "Network (disabled)")

apps/desktop/src-tauri/src/settings/loader.rs

@@ -56,6 +56,10 @@ pub struct Settings {
     pub mtp_enabled: Option<bool>,
     #[serde(alias = "advanced.diskSpaceChangeThreshold", default)]
     pub disk_space_change_threshold_mb: Option<u64>,
+    #[serde(alias = "behavior.fileSystemWatching.lowDiskSpaceNotifications", default)]
+    pub low_disk_space_notifications: Option<String>,
+    #[serde(alias = "behavior.fileSystemWatching.lowDiskSpaceThresholdPercent", default)]
+    pub low_disk_space_threshold_percent: Option<u64>,
     #[serde(alias = "network.smbConcurrency", default)]
     pub smb_concurrency: Option<u16>,
     #[serde(alias = "advanced.maxLogStorageMb", default)]
@@ -78,6 +82,14 @@ fn default_show_hidden() -> bool {
     true
 }
 
+impl Settings {
+    /// Whether the low-disk-space warning is on: any mode except `"off"`.
+    /// A missing key means the registry default (`"in-app"`), so enabled.
+    pub fn low_disk_space_enabled(&self) -> bool {
+        self.low_disk_space_notifications.as_deref() != Some("off")
+    }
+}
+
 impl Default for Settings {
     fn default() -> Self {
         Self {
@@ -93,6 +105,8 @@ impl Default for Settings {
             filter_safe_save_artifacts: None,
             mtp_enabled: None,
             disk_space_change_threshold_mb: None,
+            low_disk_space_notifications: None,
+            low_disk_space_threshold_percent: None,
             smb_concurrency: None,
             max_log_storage_mb: None,
             error_reports_enabled: None,
@@ -149,6 +163,13 @@ fn parse_settings(contents: &str) -> Result<Settings, serde_json::Error> {
     let filter_safe_save_artifacts = json.get("advanced.filterSafeSaveArtifacts").and_then(|v| v.as_bool());
     let mtp_enabled = json.get("fileOperations.mtpEnabled").and_then(|v| v.as_bool());
     let disk_space_change_threshold_mb = json.get("advanced.diskSpaceChangeThreshold").and_then(|v| v.as_u64());
+    let low_disk_space_notifications = json
+        .get("behavior.fileSystemWatching.lowDiskSpaceNotifications")
+        .and_then(|v| v.as_str())
+        .map(String::from);
+    let low_disk_space_threshold_percent = json
+        .get("behavior.fileSystemWatching.lowDiskSpaceThresholdPercent")
+        .and_then(|v| v.as_u64());
     let smb_concurrency = json
         .get("network.smbConcurrency")
         .and_then(|v| v.as_u64())
@@ -174,6 +195,8 @@ fn parse_settings(contents: &str) -> Result<Settings, serde_json::Error> {
         filter_safe_save_artifacts,
         mtp_enabled,
         disk_space_change_threshold_mb,
+        low_disk_space_notifications,
+        low_disk_space_threshold_percent,
         smb_concurrency,
         max_log_storage_mb,
         error_reports_enabled,

apps/desktop/src-tauri/src/space_poller.rs

@@ -6,16 +6,24 @@
 //!
 //! Poll intervals are per-volume-type via `Volume::space_poll_interval()`:
 //! local volumes poll every 2 s, network/MTP every 5 s.
-
-use log::{debug, warn};
+//!
+//! Also owns the low-disk-space warning: a permanent, backend-owned watcher on
+//! the boot volume (so the check works even when neither pane shows it) feeds
+//! a hysteresis detector that emits a `low-disk-space` event when free space
+//! crosses below the user-configured percent threshold. The poll loop already
+//! deduplicates by volume id, so a pane watching the boot volume shares the
+//! same single `statfs` per tick with the permanent watcher.
+
+use log::{debug, info, warn};
 use serde::Serialize;
 use std::collections::HashMap;
-use std::sync::atomic::{AtomicU64, Ordering};
+use std::sync::atomic::{AtomicBool, AtomicU64, Ordering};
 use std::sync::{Mutex, OnceLock};
 use std::time::Duration;
 use tauri::{AppHandle, Emitter};
 
 use crate::file_system::get_volume_manager;
+use crate::file_system::volume::DEFAULT_VOLUME_ID;
 
 /// Global app handle for emitting events.
 static APP_HANDLE: OnceLock<AppHandle> = OnceLock::new();
@@ -33,6 +41,30 @@ static LAST_SPACE: OnceLock<Mutex<HashMap<String, CachedSpace>>> = OnceLock::new
 /// Change threshold in bytes. Updated at runtime from settings.
 static THRESHOLD_BYTES: AtomicU64 = AtomicU64::new(1_048_576); // 1 MB default
 
+/// Whether the low-disk-space warning is on. Mirrors the
+/// `behavior.fileSystemWatching.lowDiskSpaceNotifications` setting
+/// (`true` for any mode but "off"; the registry default is "in-app").
+static LOW_SPACE_ENABLED: AtomicBool = AtomicBool::new(true);
+
+/// Free-space percent threshold for the low-disk-space warning. Mirrors the
+/// `behavior.fileSystemWatching.lowDiskSpaceThresholdPercent` setting.
+static LOW_SPACE_THRESHOLD_PERCENT: AtomicU64 = AtomicU64::new(5);
+
+/// Hysteresis state: `true` means the detector may fire on the next crossing
+/// below the threshold. Disarmed after firing; re-armed once free space climbs
+/// back above threshold + [`LOW_SPACE_REARM_MARGIN_PERCENT`].
+static LOW_SPACE_ARMED: AtomicBool = AtomicBool::new(true);
+
+/// Re-arm margin in percentage points. Without it, free space oscillating
+/// around the exact threshold (a download writing and deleting temp files)
+/// would fire a warning on every dip.
+const LOW_SPACE_REARM_MARGIN_PERCENT: f64 = 1.0;
+
+/// Watcher id for the permanent backend-owned boot-volume entry. Lives in the
+/// same `WATCHED` map as the pane watchers so the dedup-by-volume-id logic
+/// merges it with a pane that happens to show the boot volume.
+const LOW_SPACE_BOOT_WATCHER_ID: &str = "low-space:boot";
+
 /// Default poll interval for volumes not registered in VolumeManager.
 const DEFAULT_POLL_INTERVAL: Duration = Duration::from_secs(2);
 
@@ -61,6 +93,17 @@ struct VolumeSpaceChangedPayload {
     available_bytes: u64,
 }
 
+/// Payload for the `low-disk-space` Tauri event.
+#[derive(Clone, Serialize)]
+#[serde(rename_all = "camelCase")]
+struct LowDiskSpacePayload {
+    volume_id: String,
+    total_bytes: u64,
+    available_bytes: u64,
+    free_percent: f64,
+    threshold_percent: u64,
+}
+
 /// Stores the app handle. Call once during setup.
 pub fn init(app: &AppHandle) {
     let _ = APP_HANDLE.set(app.clone());
@@ -73,6 +116,27 @@ pub fn set_threshold_mb(mb: u64) {
     THRESHOLD_BYTES.store(mb.saturating_mul(1_048_576), Ordering::Relaxed);
 }
 
+/// Applies the low-disk-space warning config (at startup and live from Settings).
+///
+/// Registers or removes the permanent boot-volume watcher so the extra
+/// `statfs` goes away entirely when the warning is off. Always re-arms the
+/// detector: a changed threshold should re-evaluate against the current free
+/// space on the next poll.
+pub fn configure_low_disk_space(enabled: bool, threshold_percent: u64) {
+    LOW_SPACE_ENABLED.store(enabled, Ordering::Relaxed);
+    LOW_SPACE_THRESHOLD_PERCENT.store(threshold_percent.clamp(1, 99), Ordering::Relaxed);
+    LOW_SPACE_ARMED.store(true, Ordering::Relaxed);
+    if enabled {
+        watch(
+            LOW_SPACE_BOOT_WATCHER_ID.to_string(),
+            DEFAULT_VOLUME_ID.to_string(),
+            "/".to_string(),
+        );
+    } else {
+        unwatch(LOW_SPACE_BOOT_WATCHER_ID);
+    }
+}
+
 /// Registers (or updates) a watcher for live space updates.
 ///
 /// `watcher_id` is typically a pane ID ("left"/"right"). Multiple watchers
@@ -125,6 +189,13 @@ pub fn set_disk_space_threshold(mb: u64) {
     set_threshold_mb(mb);
 }
 
+/// Updates the low-disk-space warning config at runtime (from settings).
+#[tauri::command]
+#[specta::specta]
+pub fn set_low_disk_space_config(enabled: bool, threshold_percent: u64) {
+    configure_low_disk_space(enabled, threshold_percent);
+}
+
 /// The core loop. Ticks every second; each volume is polled at its own cadence.
 async fn poll_loop() {
     let mut tick: u64 = 0;
@@ -184,6 +255,13 @@ async fn poll_loop() {
                 _ => continue, // timeout or no data: skip this tick
             };
 
+            // The low-space check sees every fetch, not just the ones that
+            // pass the change-threshold gate below: a slow leak smaller than
+            // the 1 MB emit threshold must still trip the warning.
+            if volume_id == DEFAULT_VOLUME_ID {
+                check_low_space(&volume_id, &space);
+            }
+
             if exceeds_threshold(&volume_id, &space, threshold) {
                 update_cache(&volume_id, &space);
                 emit(&volume_id, &space);
@@ -192,6 +270,64 @@ async fn poll_loop() {
     }
 }
 
+/// Runs the hysteresis detector on a fresh boot-volume space fetch and emits
+/// `low-disk-space` when the free percent crosses below the threshold.
+fn check_low_space(volume_id: &str, space: &CachedSpace) {
+    if !LOW_SPACE_ENABLED.load(Ordering::Relaxed) {
+        return;
+    }
+    let threshold = LOW_SPACE_THRESHOLD_PERCENT.load(Ordering::Relaxed);
+    let free = free_percent(space.total_bytes, space.available_bytes);
+    let armed = LOW_SPACE_ARMED.load(Ordering::Relaxed);
+    let (new_armed, fire) = low_space_transition(armed, free, threshold as f64);
+    LOW_SPACE_ARMED.store(new_armed, Ordering::Relaxed);
+    if fire {
+        emit_low_disk_space(volume_id, space, free, threshold);
+    }
+}
+
+/// Free space as a percent of total. Treats an unknown total (0) as not-low
+/// so a bogus fetch can't fire a false warning.
+fn free_percent(total_bytes: u64, available_bytes: u64) -> f64 {
+    if total_bytes == 0 {
+        return 100.0;
+    }
+    available_bytes as f64 / total_bytes as f64 * 100.0
+}
+
+/// The pure hysteresis step: `(armed, free, threshold)` → `(new_armed, fire)`.
+///
+/// Fires exactly once per crossing below the threshold; re-arms only after
+/// free space recovers above threshold + [`LOW_SPACE_REARM_MARGIN_PERCENT`],
+/// so oscillation around the boundary can't re-fire.
+fn low_space_transition(armed: bool, free_percent: f64, threshold_percent: f64) -> (bool, bool) {
+    if armed && free_percent < threshold_percent {
+        return (false, true);
+    }
+    if !armed && free_percent >= threshold_percent + LOW_SPACE_REARM_MARGIN_PERCENT {
+        return (true, false);
+    }
+    (armed, false)
+}
+
+fn emit_low_disk_space(volume_id: &str, space: &CachedSpace, free_percent: f64, threshold_percent: u64) {
+    let Some(app) = APP_HANDLE.get() else { return };
+    let payload = LowDiskSpacePayload {
+        volume_id: volume_id.to_string(),
+        total_bytes: space.total_bytes,
+        available_bytes: space.available_bytes,
+        free_percent,
+        threshold_percent,
+    };
+    info!(
+        "low-disk-space: {} at {:.1}% free ({} of {} bytes), threshold {}%",
+        volume_id, free_percent, space.available_bytes, space.total_bytes, threshold_percent
+    );
+    if let Err(e) = app.emit("low-disk-space", &payload) {
+        warn!("Failed to emit low-disk-space: {}", e);
+    }
+}
+
 /// Fetches space info for a filesystem path using the platform API.
 /// Used as a fallback when the volume is not registered in VolumeManager.
 fn fetch_space_for_path(path: &str) -> Option<CachedSpace> {
@@ -259,3 +395,74 @@ fn emit(volume_id: &str, space: &CachedSpace) {
         warn!("Failed to emit volume-space-changed: {}", e);
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn fires_once_when_crossing_below_threshold() {
+        let (armed, fire) = low_space_transition(true, 4.9, 5.0);
+        assert!(!armed);
+        assert!(fire);
+    }
+
+    #[test]
+    fn does_not_fire_above_threshold() {
+        let (armed, fire) = low_space_transition(true, 5.0, 5.0);
+        assert!(armed);
+        assert!(!fire);
+    }
+
+    #[test]
+    fn does_not_refire_while_disarmed() {
+        let (armed, fire) = low_space_transition(false, 3.0, 5.0);
+        assert!(!armed);
+        assert!(!fire);
+    }
+
+    #[test]
+    fn stays_disarmed_inside_rearm_margin() {
+        // Recovered above the threshold but not past the margin: no re-arm,
+        // so a dip back under 5% can't fire again.
+        let (armed, fire) = low_space_transition(false, 5.5, 5.0);
+        assert!(!armed);
+        assert!(!fire);
+    }
+
+    #[test]
+    fn rearms_past_the_margin_then_fires_on_next_crossing() {
+        let (armed, fire) = low_space_transition(false, 6.0, 5.0);
+        assert!(armed);
+        assert!(!fire);
+        let (armed, fire) = low_space_transition(armed, 4.0, 5.0);
+        assert!(!armed);
+        assert!(fire);
+    }
+
+    #[test]
+    fn oscillation_around_threshold_fires_once() {
+        // 5.2 → 4.8 → 5.2 → 4.8: one warning, not two.
+        let mut armed = true;
+        let mut fires = 0;
+        for free in [5.2, 4.8, 5.2, 4.8] {
+            let (next, fire) = low_space_transition(armed, free, 5.0);
+            armed = next;
+            if fire {
+                fires += 1;
+            }
+        }
+        assert_eq!(fires, 1);
+    }
+
+    #[test]
+    fn free_percent_handles_zero_total() {
+        // Unknown total must read as not-low (no false warning on a bogus fetch).
+        assert_eq!(free_percent(0, 0), 100.0);
+    }
+
+    #[test]
+    fn free_percent_computes_fraction() {
+        assert!((free_percent(1000, 50) - 5.0).abs() < f64::EPSILON);
+    }
+}

apps/desktop/src/lib/downloads/CLAUDE.md

@@ -33,9 +33,10 @@ Backend counterpart: [`src-tauri/src/downloads/CLAUDE.md`](../../../src-tauri/sr
 - `'both'` → both.
 - `'neither'` → no-op.
 
-The macOS native path also asks the OS for permission the first time a session needs it. On denial we surface a single
-INFO toast with a stable dedup id; we DON'T flip the user's setting and we DON'T retry. The user can re-enable in System
-Settings whenever; their preference stays put.
+The macOS native path asks the OS for permission via the shared `$lib/notifications/macos-notification-permission.ts`
+helper (also used by `lib/low-disk-space/`): session-cached answer, a single INFO toast with a stable dedup id on
+denial, no retries, and we DON'T flip the user's setting. The user can re-enable in System Settings whenever; their
+preference stays put.
 
 ## Snapshot-at-creation rule